baseid-haip
The haip crate implements the OpenID4VC High Assurance Interoperability Profile, which constrains OID4VCI and OID4VP parameters to SD-JWT VC and ISO mdoc at high assurance levels, as required by eIDAS 2.0 EUDI Wallet deployments.
Key Features
- HAIP v1.0 profile — `HaipProfile::v1()` provides the default configuration constraining formats to `dc+sd-jwt` and `mso_mdoc`, algorithms to ES256/ES384/ES512/EdDSA, and requiring key binding
- Format validation — checks credential format identifiers against the profile’s allowed list; rejects non-HAIP formats like `jwt_vc_json`
- Algorithm validation — checks signing algorithms against allowed JWA identifiers; rejects legacy algorithms like RS256
- Issuance request validation — `validate_issuance_request` checks format, proof type, and algorithm against HAIP constraints
- Presentation request validation — `validate_presentation_request` checks response mode and client ID scheme against HAIP constraints
- Constraint results — `ValidationResult` returns a boolean plus a list of human-readable violation messages
Quick Start
```rust
use baseid_haip::profile::HaipProfile;
use baseid_haip::constraints::{validate_issuance_request, validate_presentation_request};

let profile = HaipProfile::v1();

// Validate an OID4VCI credential request
let result = validate_issuance_request(
    &profile,
    "dc+sd-jwt",   // format
    Some("jwt"),   // proof_type
    Some("ES256"), // algorithm
);
assert!(result.valid);

// Reject a non-HAIP format
let result = validate_issuance_request(&profile, "jwt_vc_json", Some("jwt"), Some("ES256"));
assert!(!result.valid);
assert!(result.violations[0].contains("jwt_vc_json"));

// Validate an OID4VP presentation request
let result = validate_presentation_request(
    &profile,
    Some("direct_post"),  // response_mode
    Some("x509_san_dns"), // client_id_scheme
);
assert!(result.valid);

// Reject fragment response mode
let result = validate_presentation_request(&profile, Some("fragment"), None);
assert!(!result.valid);
```

HAIP v1.0 Default Profile
| Parameter | Allowed Values |
|---|---|
| Credential formats | dc+sd-jwt, mso_mdoc |
| Signing algorithms | ES256, ES384, ES512, EdDSA |
| Proof types | jwt |
| Key binding | Required |
| Assurance level | High |
| Client ID schemes | x509_san_dns, x509_san_uri, verifier_attestation |
| Response modes | direct_post, direct_post.jwt |
Key Types
| Type | Description |
|---|---|
| `HaipProfile` | Profile configuration with allowed formats, algorithms, and schemes |
| `HaipFormat` | Credential format enum: SdJwtVc (`dc+sd-jwt`) or MsoMdoc (`mso_mdoc`) |
| `HaipAlgorithm` | Signing algorithm enum: ES256, ES384, ES512, EdDSA |
| `ValidationResult` | Result with `valid` boolean and `violations` list |
Validation Functions
| Function | Checks |
|---|---|
| `validate_issuance_request` | Format, proof type presence (if key binding required), proof type value, algorithm |
| `validate_presentation_request` | Response mode, client ID scheme |
| `HaipProfile::is_format_allowed` | Whether a format string is in the allowed list |
| `HaipProfile::is_algorithm_allowed` | Whether a JWA algorithm string is in the allowed list |
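
The issuance checks listed for `validate_issuance_request`, modelled as a stand-alone sketch that needs no crate. This is an added example, not baseid-haip's source: `Profile`, `HAIP_V1`, `check_issuance` and the message strings are hypothetical, and leaving an absent algorithm unchecked is an assumption.

```rust
// Stand-alone model of the HAIP v1.0 issuance checks tabulated above.
// Not baseid-haip source: names and message strings are hypothetical.
struct Profile {
    formats: &'static [&'static str],
    algorithms: &'static [&'static str],
    proof_types: &'static [&'static str],
    key_binding_required: bool,
}

const HAIP_V1: Profile = Profile {
    formats: &["dc+sd-jwt", "mso_mdoc"],
    algorithms: &["ES256", "ES384", "ES512", "EdDSA"],
    proof_types: &["jwt"],
    key_binding_required: true,
};

/// Collects every violation so the refusal can be logged in full.
fn check_issuance(p: &Profile, format: &str, proof: Option<&str>, alg: Option<&str>) -> Vec<String> {
    let mut v = Vec::new();
    if !p.formats.contains(&format) {
        v.push(format!("format '{format}' is not allowed"));
    }
    match proof {
        None if p.key_binding_required => v.push("key binding requires a proof".to_string()),
        Some(t) if !p.proof_types.contains(&t) => v.push(format!("proof type '{t}' is not allowed")),
        _ => {}
    }
    // Exact match: JWA names are case-sensitive, so "es256" fails like RS256.
    // Assumption: an absent algorithm is left unchecked.
    if let Some(a) = alg {
        if !p.algorithms.contains(&a) {
            v.push(format!("algorithm '{a}' is not allowed"));
        }
    }
    v
}

fn main() {
    // Constructed requests: (format, proof type, algorithm).
    let cases = [
        ("dc+sd-jwt", Some("jwt"), Some("ES256")),
        ("jwt_vc_json", None, Some("RS256")),
        ("mso_mdoc", Some("jwt"), Some("es256")),
    ];
    for (f, proof, alg) in cases {
        let v = check_issuance(&HAIP_V1, f, proof, alg);
        println!("{f} {proof:?} {alg:?} -> {}", if v.is_empty() { String::from("ok") } else { v.join("; ") });
    }
}
```

The second constructed request fails on format, missing proof and algorithm at once, which is why the result carries a list of violations and not a single error.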
Related Crates
- baseid-oid4vci — credential issuance protocol constrained by HAIP
- baseid-oid4vp — presentation protocol constrained by HAIP response modes and client ID schemes
- baseid-eidas — eIDAS 2.0 compliance types; HAIP is required for EUDI Wallet interoperability
- baseid-mdl — mDL format (`mso_mdoc`) validated by HAIP profile